By Cesar Cerrudo, CTO, IOActive
This article was originally published in Forbes.com
Three years ago, I published a whitepaper titled, “An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks.” It turns out that some of the cyberattacks and threats I described came to fruition, and this just seems to be the tip of the iceberg. Soon, everyone living in a city may suffer the consequences of cyberattacks in some capacity.
What I learned while compiling my research for my whitepaper is that most technologies being used in cities services and infrastructure around the world are insecure and can be hacked. I described some of the technologies, cybersecurity problems, possible cyber threats, attacks and attackers. I concluded that the more technology cities use, the more vulnerable to cyberattacks they could become.
Now after three years, some different types of cyberattacks I wrote about have actually taken place, and they are becoming more common:
• December 23, 2015 — Ukraine’s power grid: Attackers compromised three energy distribution companies systems, affecting 30 substations and leaving 230,000 people without electricity.
•March 2016 — Undisclosed city water treatment plant: Attackers changed the levels of chemicals used to treat water, and the data of 2.5 million utility customers was compromised.
• November 4, 2016 — Sweden air traffic Control systems: Attack affected several airports, preventing air traffic controllers from seeing aircraft on their screens. This resulted in the cancellation of multiple domestic and international flights and affected thousands of people.
• November 25, 2016 — San Francisco Municipal Railway: Systems were infected by ransomware, attackers demanded 100 Bitcoins ($70,000 at that time).
• April 7, 2017 — Dallas emergency alarms: Attackers activated 156 emergency sirens at 11:40 p.m., waking up and frightening a lot of people until 1:20 a.m. when the alarms were turned off. The incident resulted in 4,400 calls to 911.
• October 11, 2017 — Sweden Transport Administration systems: A distributed-denial-of-service (DDoS) attack affected systems that monitor trains. It also affected the federal agency email system, website and road traffic maps. Train traffic and other services had to be managed manually, using backup processes. Some trains stopped and had delays that affected thousands of passengers.
• November 18, 2017 —Sacramento Regional Transit systems: A ransomware attack deleted 30 million files, and the attackers demanded $7,000 in Bitcoin.
• March 22, 2018 — Atlanta municipal systems: Attackers used ransomware to infect city systems. They demanded $51,000 in digital currency and caused outages across various important city systems.
It’s clear that cyberattacks on city systems and infrastructure are increasing every year, with a growing impact on people, too. While some attacks are prevented or stopped before they become major incidents, any successful attack can cause serious disruptions that affect thousands of people.
At the time I wrote the whitepaper, I wasn’t worried too much about the cyber threats and attacks because I thought there was still time to start improving cybersecurity. Also, I wrongly assumed that stakeholders (technology vendors, government officials, the general public, etc.) would pay attention and take immediate action.
I didn’t want to point out problems without doing anything else since these cybersecurity problems affect everyone living in cities (and that includes me). I eventually took action. In May 2015, with the help of my employer, colleagues and other organizations, we started Securing Smart Cities,a nonprofit organization that works on cybersecurity challenges that cities across the world are facing.Working at Securing Smart Cities, we have created several useful resources for anyone interested in improving cybersecurity in cities. It has been a great effort and we think we have contributed as much as we can, but there is still a lot of work to do since cybersecurity problems seem to be increasing and not disappearing.
There are other important nonprofits with great resources and outreach capabilities such as 100 Resilient Cities. Although this organization, which was created by the Rockefeller Foundation, doesn’t place a strong emphasis on cybersecurity, it still aims to help cities become more resilient to common challenges (and one can assume that with the increase of cyberattacks carried out against cities, 100RC will eventually make this a top priority). There’s also the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce that has created two critical frameworks that “allow smart city infrastructures to achieve cybersecure interoperability.”
I will keep doing my best and continue creating public awareness, but I would like to encourage everyone to get involved in any way you can and take action. We are all inhabitants of some city and we are all currently exposed to the threat of cyberattacks. Politicians should hear loud and clear that cybersecurity problems are real and that there is an urgent need to do something about them or we will continue to suffer serious consequences.